+++ /dev/null
-From: Harsha Sharma <harshasharmaiitr@gmail.com>
-Date: Wed, 27 Dec 2017 00:59:00 +0530
-Subject: [PATCH] netfilter: nf_tables: allocate handle and delete objects via
- handle
-
-This patch allows deletion of objects via unique handle which can be
-listed via '-a' option.
-
-Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
-
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -370,6 +370,7 @@ void nft_unregister_set(struct nft_set_t
- * @list: table set list node
- * @bindings: list of set bindings
- * @name: name of the set
-+ * @handle: unique handle of the set
- * @ktype: key type (numeric type defined by userspace, not used in the kernel)
- * @dtype: data type (verdict or numeric type defined by userspace)
- * @objtype: object type (see NFT_OBJECT_* definitions)
-@@ -392,6 +393,7 @@ struct nft_set {
- struct list_head list;
- struct list_head bindings;
- char *name;
-+ u64 handle;
- u32 ktype;
- u32 dtype;
- u32 objtype;
-@@ -942,6 +944,7 @@ unsigned int nft_do_chain(struct nft_pkt
- * @objects: stateful objects in the table
- * @flowtables: flow tables in the table
- * @hgenerator: handle generator state
-+ * @handle: table handle
- * @use: number of chain references to this table
- * @flags: table flag (see enum nft_table_flags)
- * @genmask: generation mask
-@@ -955,6 +958,7 @@ struct nft_table {
- struct list_head objects;
- struct list_head flowtables;
- u64 hgenerator;
-+ u64 handle;
- u32 use;
- u16 family:6,
- flags:8,
-@@ -979,9 +983,9 @@ int nft_verdict_dump(struct sk_buff *skb
- * @name: name of this stateful object
- * @genmask: generation mask
- * @use: number of references to this stateful object
-- * @data: object data, layout depends on type
-+ * @handle: unique object handle
- * @ops: object operations
-- * @data: pointer to object data
-+ * @data: object data, layout depends on type
- */
- struct nft_object {
- struct list_head list;
-@@ -989,6 +993,7 @@ struct nft_object {
- struct nft_table *table;
- u32 genmask:2,
- use:30;
-+ u64 handle;
- /* runtime data below here */
- const struct nft_object_ops *ops ____cacheline_aligned;
- unsigned char data[]
-@@ -1070,6 +1075,7 @@ void nft_unregister_obj(struct nft_objec
- * @ops_len: number of hooks in array
- * @genmask: generation mask
- * @use: number of references to this flow table
-+ * @handle: unique object handle
- * @data: rhashtable and garbage collector
- * @ops: array of hooks
- */
-@@ -1082,6 +1088,7 @@ struct nft_flowtable {
- int ops_len;
- u32 genmask:2,
- use:30;
-+ u64 handle;
- /* runtime data below here */
- struct nf_hook_ops *ops ____cacheline_aligned;
- struct nf_flowtable data;
---- a/include/uapi/linux/netfilter/nf_tables.h
-+++ b/include/uapi/linux/netfilter/nf_tables.h
-@@ -174,6 +174,8 @@ enum nft_table_attributes {
- NFTA_TABLE_NAME,
- NFTA_TABLE_FLAGS,
- NFTA_TABLE_USE,
-+ NFTA_TABLE_HANDLE,
-+ NFTA_TABLE_PAD,
- __NFTA_TABLE_MAX
- };
- #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
-@@ -317,6 +319,7 @@ enum nft_set_desc_attributes {
- * @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
- * @NFTA_SET_USERDATA: user data (NLA_BINARY)
- * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
-+ * @NFTA_SET_HANDLE: set handle (NLA_U64)
- */
- enum nft_set_attributes {
- NFTA_SET_UNSPEC,
-@@ -335,6 +338,7 @@ enum nft_set_attributes {
- NFTA_SET_USERDATA,
- NFTA_SET_PAD,
- NFTA_SET_OBJ_TYPE,
-+ NFTA_SET_HANDLE,
- __NFTA_SET_MAX
- };
- #define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
-@@ -1314,6 +1318,7 @@ enum nft_ct_helper_attributes {
- * @NFTA_OBJ_TYPE: stateful object type (NLA_U32)
- * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
- * @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
-+ * @NFTA_OBJ_HANDLE: object handle (NLA_U64)
- */
- enum nft_object_attributes {
- NFTA_OBJ_UNSPEC,
-@@ -1322,6 +1327,8 @@ enum nft_object_attributes {
- NFTA_OBJ_TYPE,
- NFTA_OBJ_DATA,
- NFTA_OBJ_USE,
-+ NFTA_OBJ_HANDLE,
-+ NFTA_OBJ_PAD,
- __NFTA_OBJ_MAX
- };
- #define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
-@@ -1333,6 +1340,7 @@ enum nft_object_attributes {
- * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
- * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
-+ * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
- */
- enum nft_flowtable_attributes {
- NFTA_FLOWTABLE_UNSPEC,
-@@ -1340,6 +1348,8 @@ enum nft_flowtable_attributes {
- NFTA_FLOWTABLE_NAME,
- NFTA_FLOWTABLE_HOOK,
- NFTA_FLOWTABLE_USE,
-+ NFTA_FLOWTABLE_HANDLE,
-+ NFTA_FLOWTABLE_PAD,
- __NFTA_FLOWTABLE_MAX
- };
- #define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -26,6 +26,7 @@
- static LIST_HEAD(nf_tables_expressions);
- static LIST_HEAD(nf_tables_objects);
- static LIST_HEAD(nf_tables_flowtables);
-+static u64 table_handle;
-
- static void nft_ctx_init(struct nft_ctx *ctx,
- struct net *net,
-@@ -376,6 +377,20 @@ static struct nft_table *nft_table_looku
- return NULL;
- }
-
-+static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
-+ const struct nlattr *nla,
-+ u8 genmask)
-+{
-+ struct nft_table *table;
-+
-+ list_for_each_entry(table, &net->nft.tables, list) {
-+ if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
-+ nft_active_genmask(table, genmask))
-+ return table;
-+ }
-+ return NULL;
-+}
-+
- static struct nft_table *nf_tables_table_lookup(const struct net *net,
- const struct nlattr *nla,
- u8 family, u8 genmask)
-@@ -392,6 +407,22 @@ static struct nft_table *nf_tables_table
- return ERR_PTR(-ENOENT);
- }
-
-+static struct nft_table *nf_tables_table_lookup_byhandle(const struct net *net,
-+ const struct nlattr *nla,
-+ u8 genmask)
-+{
-+ struct nft_table *table;
-+
-+ if (nla == NULL)
-+ return ERR_PTR(-EINVAL);
-+
-+ table = nft_table_lookup_byhandle(net, nla, genmask);
-+ if (table != NULL)
-+ return table;
-+
-+ return ERR_PTR(-ENOENT);
-+}
-+
- static inline u64 nf_tables_alloc_handle(struct nft_table *table)
- {
- return ++table->hgenerator;
-@@ -438,6 +469,7 @@ static const struct nla_policy nft_table
- [NFTA_TABLE_NAME] = { .type = NLA_STRING,
- .len = NFT_TABLE_MAXNAMELEN - 1 },
- [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
-+ [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
- };
-
- static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
-@@ -459,7 +491,9 @@ static int nf_tables_fill_table_info(str
-
- if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
- nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
-- nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
-+ nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
-+ nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
-+ NFTA_TABLE_PAD))
- goto nla_put_failure;
-
- nlmsg_end(skb, nlh);
-@@ -718,6 +752,7 @@ static int nf_tables_newtable(struct net
- INIT_LIST_HEAD(&table->flowtables);
- table->family = family;
- table->flags = flags;
-+ table->handle = ++table_handle;
-
- nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
- err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
-@@ -835,11 +870,18 @@ static int nf_tables_deltable(struct net
- struct nft_ctx ctx;
-
- nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
-- if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
-+ if (family == AF_UNSPEC ||
-+ (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
- return nft_flush(&ctx, family);
-
-- table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME], family,
-- genmask);
-+ if (nla[NFTA_TABLE_HANDLE])
-+ table = nf_tables_table_lookup_byhandle(net,
-+ nla[NFTA_TABLE_HANDLE],
-+ genmask);
-+ else
-+ table = nf_tables_table_lookup(net, nla[NFTA_TABLE_NAME],
-+ family, genmask);
-+
- if (IS_ERR(table))
- return PTR_ERR(table);
-
-@@ -1596,6 +1638,7 @@ static int nf_tables_delchain(struct net
- struct nft_rule *rule;
- int family = nfmsg->nfgen_family;
- struct nft_ctx ctx;
-+ u64 handle;
- u32 use;
- int err;
-
-@@ -1604,7 +1647,12 @@ static int nf_tables_delchain(struct net
- if (IS_ERR(table))
- return PTR_ERR(table);
-
-- chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
-+ if (nla[NFTA_CHAIN_HANDLE]) {
-+ handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
-+ chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
-+ } else {
-+ chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
-+ }
- if (IS_ERR(chain))
- return PTR_ERR(chain);
-
-@@ -2579,6 +2627,7 @@ static const struct nla_policy nft_set_p
- [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
- .len = NFT_USERDATA_MAXLEN },
- [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
-+ [NFTA_SET_HANDLE] = { .type = NLA_U64 },
- };
-
- static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
-@@ -2622,6 +2671,22 @@ static struct nft_set *nf_tables_set_loo
- return ERR_PTR(-ENOENT);
- }
-
-+static struct nft_set *nf_tables_set_lookup_byhandle(const struct nft_table *table,
-+ const struct nlattr *nla, u8 genmask)
-+{
-+ struct nft_set *set;
-+
-+ if (nla == NULL)
-+ return ERR_PTR(-EINVAL);
-+
-+ list_for_each_entry(set, &table->sets, list) {
-+ if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
-+ nft_active_genmask(set, genmask))
-+ return set;
-+ }
-+ return ERR_PTR(-ENOENT);
-+}
-+
- static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
- const struct nlattr *nla,
- u8 genmask)
-@@ -2738,6 +2803,9 @@ static int nf_tables_fill_set(struct sk_
- goto nla_put_failure;
- if (nla_put_string(skb, NFTA_SET_NAME, set->name))
- goto nla_put_failure;
-+ if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
-+ NFTA_SET_PAD))
-+ goto nla_put_failure;
- if (set->flags != 0)
- if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
- goto nla_put_failure;
-@@ -3149,6 +3217,7 @@ static int nf_tables_newset(struct net *
- set->udata = udata;
- set->timeout = timeout;
- set->gc_int = gc_int;
-+ set->handle = nf_tables_alloc_handle(table);
-
- err = ops->init(set, &desc, nla);
- if (err < 0)
-@@ -3208,7 +3277,10 @@ static int nf_tables_delset(struct net *
- if (err < 0)
- return err;
-
-- set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
-+ if (nla[NFTA_SET_HANDLE])
-+ set = nf_tables_set_lookup_byhandle(ctx.table, nla[NFTA_SET_HANDLE], genmask);
-+ else
-+ set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
- if (IS_ERR(set))
- return PTR_ERR(set);
-
-@@ -4277,6 +4349,21 @@ struct nft_object *nf_tables_obj_lookup(
- }
- EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
-
-+struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
-+ const struct nlattr *nla,
-+ u32 objtype, u8 genmask)
-+{
-+ struct nft_object *obj;
-+
-+ list_for_each_entry(obj, &table->objects, list) {
-+ if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
-+ objtype == obj->ops->type->type &&
-+ nft_active_genmask(obj, genmask))
-+ return obj;
-+ }
-+ return ERR_PTR(-ENOENT);
-+}
-+
- static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
- [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
- .len = NFT_TABLE_MAXNAMELEN - 1 },
-@@ -4284,6 +4371,7 @@ static const struct nla_policy nft_obj_p
- .len = NFT_OBJ_MAXNAMELEN - 1 },
- [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
- [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
-+ [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
- };
-
- static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
-@@ -4431,6 +4519,8 @@ static int nf_tables_newobj(struct net *
- goto err1;
- }
- obj->table = table;
-+ obj->handle = nf_tables_alloc_handle(table);
-+
- obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
- if (!obj->name) {
- err = -ENOMEM;
-@@ -4477,7 +4567,9 @@ static int nf_tables_fill_obj_info(struc
- nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
- nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
- nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
-- nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
-+ nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
-+ nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
-+ NFTA_OBJ_PAD))
- goto nla_put_failure;
-
- nlmsg_end(skb, nlh);
-@@ -4675,7 +4767,7 @@ static int nf_tables_delobj(struct net *
- u32 objtype;
-
- if (!nla[NFTA_OBJ_TYPE] ||
-- !nla[NFTA_OBJ_NAME])
-+ (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
- return -EINVAL;
-
- table = nf_tables_table_lookup(net, nla[NFTA_OBJ_TABLE], family,
-@@ -4684,7 +4776,12 @@ static int nf_tables_delobj(struct net *
- return PTR_ERR(table);
-
- objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
-- obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
-+ if (nla[NFTA_OBJ_HANDLE])
-+ obj = nf_tables_obj_lookup_byhandle(table, nla[NFTA_OBJ_HANDLE],
-+ objtype, genmask);
-+ else
-+ obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME],
-+ objtype, genmask);
- if (IS_ERR(obj))
- return PTR_ERR(obj);
- if (obj->use > 0)
-@@ -4756,6 +4853,7 @@ static const struct nla_policy nft_flowt
- [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
- .len = NFT_NAME_MAXLEN - 1 },
- [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
-+ [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
- };
-
- struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
-@@ -4773,6 +4871,20 @@ struct nft_flowtable *nf_tables_flowtabl
- }
- EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
-
-+struct nft_flowtable *
-+nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
-+ const struct nlattr *nla, u8 genmask)
-+{
-+ struct nft_flowtable *flowtable;
-+
-+ list_for_each_entry(flowtable, &table->flowtables, list) {
-+ if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
-+ nft_active_genmask(flowtable, genmask))
-+ return flowtable;
-+ }
-+ return ERR_PTR(-ENOENT);
-+}
-+
- #define NFT_FLOWTABLE_DEVICE_MAX 8
-
- static int nf_tables_parse_devices(const struct nft_ctx *ctx,
-@@ -4981,6 +5093,8 @@ static int nf_tables_newflowtable(struct
- return -ENOMEM;
-
- flowtable->table = table;
-+ flowtable->handle = nf_tables_alloc_handle(table);
-+
- flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
- if (!flowtable->name) {
- err = -ENOMEM;
-@@ -5055,8 +5169,14 @@ static int nf_tables_delflowtable(struct
- if (IS_ERR(table))
- return PTR_ERR(table);
-
-- flowtable = nf_tables_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
-- genmask);
-+ if (nla[NFTA_FLOWTABLE_HANDLE])
-+ flowtable = nf_tables_flowtable_lookup_byhandle(table,
-+ nla[NFTA_FLOWTABLE_HANDLE],
-+ genmask);
-+ else
-+ flowtable = nf_tables_flowtable_lookup(table,
-+ nla[NFTA_FLOWTABLE_NAME],
-+ genmask);
- if (IS_ERR(flowtable))
- return PTR_ERR(flowtable);
- if (flowtable->use > 0)
-@@ -5089,7 +5209,9 @@ static int nf_tables_fill_flowtable_info
-
- if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
- nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
-- nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)))
-+ nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
-+ nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
-+ NFTA_FLOWTABLE_PAD))
- goto nla_put_failure;
-
- nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
projects / openwrt / staging / wigyori.git / blobdiff